I’ve written a PowerShell script that monitors multiple directories for bulk file changes. The idea is to log any users who suddenly start changing files in a specific share (to alert on potential crypto locker attacks).
This is inserting the log entries no problem; now I want to parse the entries and store them in Influx. I’ve configured Telegraf with the win_event plugin but have noticed something. I don’t know if it’s intentional or not.
At the moment I have 3 directories.
These all contain text files currently; if I make a change in all 3 directories, my PowerShell script writes this to the Event Viewer. Telegraf parses this but only inserts 1 of the records.
The timestamps in the Event Viewer are the same, so I was thinking the problem might be that all 3 entries have the same time and are seen as one record.
This is a problem, as it only records one of the 3 directories, usually the topmost entry.
Has anyone else encountered this? Is it by design, and is there a workaround? I tried setting the config option:
## Parse timestamp from TimeCreated.SystemTime event field.
## Will default to current time of telegraf processing on parsing error or if set to false
timestamp_from_event = false
Thinking that would use the timestamp when telegraf ran the plugin, but the result is the same. Any ideas?
Telegraf is local to the windows machine and Influx is installed on a Linux VM if that matters.
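An added example, not the poster's script or Telegraf's code, that models why three events logged at the identical timestamp can collapse into one InfluxDB row: InfluxDB identifies a point by measurement, tag set and timestamp, and a later write with the same identity overwrites the earlier fields instead of creating a new row. The measurement name, tag names and the three sample events are constructed; the two mitigations shown (moving the distinguishing directory into the tag set, or giving each event a distinct timestamp) are assumptions about how the poster's pipeline could be adjusted, not Telegraf configuration.

```python
# Added example (not the poster's code): simulates InfluxDB's point identity.
# A point is identified by measurement + tag set + timestamp; a second write
# with the same identity merges/overwrites fields rather than adding a row.
from collections import OrderedDict

def series_key(point):
    """Identity InfluxDB uses for a point: measurement, sorted tags, timestamp."""
    return (point["measurement"], tuple(sorted(point["tags"].items())), point["time_ns"])

def ingest(points):
    """Simulate writes: same key -> fields merged, no new row (last write wins)."""
    stored = OrderedDict()
    for p in points:
        stored.setdefault(series_key(p), {}).update(p["fields"])
    return stored

# Constructed sample: three bulk-change events logged in the same second.
T = 1_700_000_000_000_000_000  # identical timestamp for all three, as in the post
EVENTS = [
    {"user": "alice", "directory": "share1", "count": 120},
    {"user": "alice", "directory": "share2", "count": 98},
    {"user": "alice", "directory": "share3", "count": 143},
]

def points_with_directory_as_field():
    """Directory only inside the Message field: all three share one series key."""
    return [{"measurement": "win_eventlog", "tags": {"Source": "BulkChangeMonitor"},
             "fields": {"Message": f"{e['user']} changed {e['count']} files in {e['directory']}"},
             "time_ns": T} for e in EVENTS]

def points_with_directory_as_tag():
    """Mitigation 1: directory promoted to a tag, so each event is its own series."""
    return [{"measurement": "win_eventlog",
             "tags": {"Source": "BulkChangeMonitor", "directory": e["directory"]},
             "fields": {"Message": f"{e['user']} changed {e['count']} files"},
             "time_ns": T} for e in EVENTS]

def points_with_unique_timestamps():
    """Mitigation 2: same tags, but each event gets a distinct nanosecond timestamp."""
    return [{"measurement": "win_eventlog", "tags": {"Source": "BulkChangeMonitor"},
             "fields": {"Message": f"{e['user']} changed {e['count']} files in {e['directory']}"},
             "time_ns": T + i} for i, e in enumerate(EVENTS)]

def rows_stored(points):
    """Number of distinct rows InfluxDB would keep for these writes."""
    return len(ingest(points))

def surviving_messages(points):
    """Message field of every stored row, in storage order."""
    return [row["Message"] for row in ingest(points).values()]
```

Which of the three colliding events survives depends only on write order, which is why the post sees one seemingly arbitrary directory recorded.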